gozi | f53a5dc044ad8b769397a3f6a36747cb5a66548e13ed4a7ea313337545c3c3aa | Triage

Sharing

General

Target

7b70469bba9d761d9b90c49c596575d6.bin
Size

421B
Sample

231007-b882yagg5w
MD5

2724334c6a53f2c236c14b2d248b56fa
SHA1

a6796935ad6f476f21776e1bc073b6334ab3340b
SHA256

f53a5dc044ad8b769397a3f6a36747cb5a66548e13ed4a7ea313337545c3c3aa
SHA512

664b09650d55fb67f38aa69eed47fea0e02a6f226e4d94fdf8d5982217ab0b06b06e5dc73832a0d348b51e8e8c605abb51bd773a879f9a3d503eec6483393493

Score

10^/10

gozi 5050 banker isfb trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://communicalink.com/putty.exe

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes

base_path
/jerry/
build
250260
exe_type
loader
extension
.bob
server_id
50

rsa_pubkey.plain

aes.plain

Targets

- Target
  
  63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd.ps1
- Size
  
  172B
- MD5
  
  7b70469bba9d761d9b90c49c596575d6
- SHA1
  
  ca89ca05ee36b580f713b1e17bb4694506069622
- SHA256
  
  63b506c0917d35cbf539bad3ad26d82ea3edbe50ba3f09f6e39a03c969fa8cfd
- SHA512
  
  855656cadc203011b9ee0d66309c399e9641461682fe7cd930de076964aea976aba20919e2cea34f0b5ce8400dffd0fa44564ddd94b0746e0c6e0d74de682984
Score

10^/10

gozi 5050 banker isfb trojan
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

gozi5050bankerisfbtrojan

behavioral2

gozi5050bankerisfbtrojan